Impact
Unauthenticated PHP Object Injection in versions of the Kapee WordPress theme prior to 1.7.0 allows an attacker to inject a serialized PHP object into the application. The vulnerability is classified as CWE‑502 and can lead to arbitrary code execution or other persistent compromise of the affected site. The impact is significant, as it would give an attacker full control over the impacted WordPress installation.
Affected Systems
The affected product is the Kapee theme developed by PressLayouts. All installations running any Kapee version earlier than 1.7.0 are vulnerable; the change log confirms that the fix is included in the first release of 1.7.0.
Risk and Exploitability
The CVSS v3.1 score of 8.1 indicates a high severity. The EPSS score of less than 1% suggests that concrete exploitation attempts are currently rare, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, because the flaw permits unauthenticated exploitation and can result in remote code execution, the risk remains high. The likely attack vector involves submitting a crafted serialized object through HTTP requests that the theme processes, a technique that does not require elevated privileges on the site.
OpenCVE Enrichment